In today's society, lack of security has become an increasing problem. Inadequate security can result in large financial losses. Providing security against known and unknown threats in physical and virtual spaces is important as we record information and lead our daily lives. Unfortunately, society appears to be progressing without concern for the consequences of some of its decisions.
Thus, there is a need for improved security without creating a significant burden on the user. The invention is directed to apparatuses and methods for improving system security that are not burdensome to a legitimate user, but are difficult for intruders to successfully navigate. Furthermore, many times secure systems must be protected against automated attacks, eavesdroppers, and others attempting to gain illegitimate entry. For example, automated attacks are able to attempt password permutations at a much faster rate than a human can.
Three authentication components that are commonly used to protect secure systems are “What you know,” “What you have,” and “What you are.”
“What you know” is the most common form of authentication, and in the prior art more security is provided by increasing the possible permutations or by adding additional authentication steps. With computing power continually increasing, these techniques provide marginal increases in security, as computers can attempt millions of passwords per second whereas a human normally takes a second or so to enter a single password.
“What you know” is information that the user knows, such as a password, that others do not know. Authentication systems that fall into the “What you know” category include but are not limited to: alphanumeric passwords, Completely Automated Public Turing Test To Tell Computers and Humans Apart (CAPTCHA), personal identification numbers (PINs), patterns, gestures, images, movement(s), spoken passwords, passwords in general, and others familiar to those skilled in the field.
“What you have” is a physical object that you possess, such as a physical key. Authentication elements in the “What you have” category include but are not limited to: a smart key, a physical key, an RFID (Radio Frequency Identification) key, an NFC (Near Field Communication) key, a USB key (a key in the form of a plug-in for a Universal Serial Bus), and others familiar to those skilled in the art.
“What you are” is a user's physical characteristics, such as biometrics, fingerprints, retina scans, etc. Authentication systems in the “What you are” category include but are not limited to: biometrics, fingerprints, voice patterns, voice passwords, retina scans, facial recognition, pressure, weight, and others known by those skilled in the art.
Secure systems require a key, digital, electronic, mechanical or otherwise, to gain entry or access. Methods for gaining access to a secure system are referred to herein as a secure system act. In the prior art, a single secure system act or a combination of secure system acts is required to gain access to the secure system. Any number of secure system acts can be required to gain access to a secure system. The present application describes each secure system act individually, recognizing that multiple secure system acts may be required to gain access.
A password is typically a sequence of alphanumeric characters. Entry of one or more passwords is a common secure system act for gaining entry to a secure system, such as a computer. Alphanumeric character passwords can also serve as a key to a form of encryption. That is, cryptographic keys can be protected using alphanumeric keys. The most common interface for entering an alphanumeric password is a keyboard, although it is known that there are many other input devices for entering a password. A secure system act can also comprise a username plus a password, i.e., a 2-tuple secure system act. Then only a known correct username/password combination allows entry to the secure system.
The alphanumeric password is a “what you know” element and only the persons authorized to access the system know this password. For instance, CAPTCHA is a form of an alphanumeric password where the alphanumeric password is displayed so that the persons authorized for access to the system should be able to read it. The user then enters the CAPTCHA password and gains entry. But a computer-based sensor cannot accurately read the CAPTCHA password and therefore will not gain entry to the system.
An alphanumeric password may consist of numbers, such as a PIN password. PIN passwords are commonly entered on physical keypads but entry is not limited to only physical keypads. For instance, an algorithmically generated PIN, such as those used in RSA tokens, is displayed. The user then enters the displayed PIN password to gain access to the secure system.
Pattern passwords, e.g., gestures, spoken words and movements, are another common form of authentication to gain access to a secure system. The pattern can be, but is not limited to, moving an interface device such as a joystick in a pattern, tracing or drawing an image, signing a signature, or moving a finger in a certain pattern. The patterns are known only to the user and thus a pattern password is considered a “what you know” element.
Some common interface devices for entering a pattern password include a touch screen, such as those found on mobile devices and touch screen monitors, joysticks, controllers, keyboards, and number pads. This list is meant to be representative and it is understood that there are other forms of entering a pattern password.
Pattern passwords can have a discrete or variable number of possible entries. For instance, mobile devices can be protected with nine proxy points that the user's movement is mapped to. Each proxy point can only be activated once, meaning a pattern password has a discrete number of possible entries; for example, a nine-proxy-point system has 362,880 discrete entries. Another common interface for entry of a discrete pattern password is a numeric keypad, where there are ten proxy points that can be used any number of times, with a limit on the pattern password length. Other common “What you know” pattern authentication elements are known by those skilled in the art.
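The two entry models described above can be compared by the number of possible entries and the time needed to try them all; the following is an added example, not part of the original text, and the 362,880 figure corresponds to patterns that use all nine proxy points exactly once (9!). The automated rate of 1,000,000 guesses per second is taken as the low end of "millions of passwords per second", and the keypad length limit of 6 is an assumed value.

```python
from itertools import permutations
from math import perm

HUMAN_RATE = 1.0              # guesses/second, "a second or so" per entry
AUTOMATED_RATE = 1_000_000.0  # assumed low end of "millions per second"
KEYPAD_MAX_LEN = 6            # assumed length limit, not from the text


def once_only_keyspace(points: int, length: int) -> int:
    """Entries of a given length when each proxy point is activated at most once."""
    return perm(points, length)


def repeat_keyspace(points: int, max_len: int, min_len: int = 1) -> int:
    """Entries when points may repeat, summed over every allowed length."""
    return sum(points ** k for k in range(min_len, max_len + 1))


def enumerate_once_only(points: int, length: int) -> int:
    """Cross-check the closed form by actually listing every pattern."""
    return sum(1 for _ in permutations(range(points), length))


def seconds_to_exhaust(keyspace: int, guesses_per_second: float) -> float:
    """Worst-case time to try every entry at a fixed guess rate."""
    return keyspace / guesses_per_second


def report():
    """Return (label, keyspace, human_seconds, automated_seconds) per model."""
    models = [
        ("nine proxy points, each used once", once_only_keyspace(9, 9)),
        ("ten-key keypad, repeats allowed, up to %d long" % KEYPAD_MAX_LEN,
         repeat_keyspace(10, KEYPAD_MAX_LEN)),
    ]
    return [
        (label, size,
         seconds_to_exhaust(size, HUMAN_RATE),
         seconds_to_exhaust(size, AUTOMATED_RATE))
        for label, size in models
    ]


if __name__ == "__main__":
    for label, size, human_s, auto_s in report():
        print(f"{label}: {size:,} entries; "
              f"human {human_s / 86400:.1f} days, automated {auto_s:.2f} s")
```

At one guess per second the nine-point space takes about 4.2 days to exhaust; at the assumed automated rate it takes well under a second, which is why a larger permutation count alone adds little against automated attempts.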
Another common way to restrict access to a secure system requires a specific physical device, “What you have”, such as a physical key. The most common physical security key is a physical key for insertion into a keyhole. In one common implementation of a physical key system, the user inserts the key into the keyhole and then turns it to gain access to the secure system or space. Other common “what you have” authentication elements include, but are not limited to, smart keys, NFC keys, audio keys, RFID keys, embedded chips/identifiers, credit/debit cards, physical keys, and USB drives. A “What you have” authentication process assumes that only the persons authorized for access to the secure system have the physical key.
Biometrics, “what you are,” is another common element for restricting access to a secure system. A common biometric is the fingerprint. The fingerprint is read by a scanner to determine if the user is authorized for accessing the secure system. Other common biometrics include but are not limited to, voice patterns, retina scans, and facial recognition.
Any secure system act can be combined with other secure system acts to make the authentication process more secure. For instance, a common two-element authentication process prompts the user to enter his username and password, and then a text is sent to his mobile device. The text contains a PIN that the user must enter next. Also, a credit/debit card requires use of a physical card as well as entering the associated PIN or billing zip code.
Providing security against known and unknown threats is important as more personal and private information and data about each of us is stored in systems that are expected to be secure. We also trust our livelihood and safety to systems such as automobiles, cryptography, infrastructure, and physical locks.